GNU-Darwin authentication and encryption position paper for the US

Dr. Michael L. Love

Fri Sep 14 12:41:32 PDT 2001

"Now that war has been declared on us, we will lead the world to
victory."
President George W. Bush

Personal encryption tools, such as GnuPG, are vital to our strength as a nation,
and such tools should be promoted in order to enhance the security of our
individual citizens and of our vital institutions as well. America will soon be
bringing all of its power to bear on the war against terrorism. With widespread
support from US citizens, the government will soon employ unprecedented steps to
vanquish the enemy, and they will succeed because of the strength of US
institutions, such as commerce, industry, and individual citizens. Such
entities will exert themselves as never before, but they will need a way to protect their
sensitive information from the prying eyes of the enemy. The widespread availability of
strong encryption tools will assist the cause of freedom by providing that protection for
America's vital interests.

GNU-Darwin has been at the cutting edge of freedom since its founding in November of
last year. In addition to providing over 75,000 free software downloads to the Apple
user community, we have been assisting the development of new free software tools, and
we have been helping new users to become acquainted with the value of software
freedom. We have served 350,000 page views, with 150,000 in July
alone, a clear indication that software freedom is gaining ground in the Apple
community.
We have been assisting the Free Dmitry movement in every way possible, so that this
admirable young man can go home to his family in Russia. Now, we are advocating
encryption freedom in order to strengthen the US in this time of trouble.

Encryption is not some obscure technology that is only used by our enemies.
Encryption software has many legitimate uses, which are vital to our national
infrastructure. Without encryption, there would be no ATM machines. Nearly everyone who has ever made a purchase on the web has used
encryption, and if you live in the US, it was certainly strong encryption. If
you made an online donation to help the people of New York City, then you
certainly used encryption, even though you may not have realized it. Such
encryption capabilities are vital,
because we do not want sensitive information such as credit card numbers to fall into
the hands of criminals or terrorists.

Encryption software could provide a novel and vital capability to our national
email system;
GnuPG and PGP can secure the email system through a process of authentication.
Voluntary adoption of authentication by email users would provide many national
security benefits. Using this software, email can be "signed" by the sender.
The recipient of a signed email can independently verify both the content of the
email and the email address of the originator. Although sensitive information
can easily be encrypted within this scheme, it is more common to use the "open-signing"
procedure, which leaves the text of the email open for all to read, but
also provides all of the security benefits of authentication. We feel strongly
that widespread adoption of open-signing technology is essential to the security
of the US email system in this time of crisis.
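
The signing and verification steps described above, as an added example that is not part of the original paper (GnuPG calls open-signing "clear-signing"). It assumes GnuPG 2.1 or later is installed; the sender identity, the message text and the function name are constructed for illustration, and the key lives in a throwaway keyring.

```bash
#!/usr/bin/env bash
# Added example: clear-sign a message, verify it as the recipient would,
# then show that verification fails once the readable text is altered.

demo_open_signing() {
  local home untouched altered
  home=$(mktemp -d) || return 2
  chmod 700 "$home"

  # Throwaway key with no passphrase, for the demo only (constructed identity).
  gpg --homedir "$home" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --quick-generate-key \
      'Example Sender <sender@example.org>' default default never \
      2>/dev/null || return 2

  printf 'Meeting moved to 3pm.\n' > "$home/msg.txt"   # constructed message

  # Sender: the text stays readable and an armored signature is appended.
  gpg --homedir "$home" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --local-user sender@example.org \
      --output "$home/msg.asc" --clearsign "$home/msg.txt" \
      2>/dev/null || return 2

  # Recipient, case 1: the message arrives exactly as it was signed.
  if gpg --homedir "$home" --batch --verify "$home/msg.asc" 2>/dev/null
  then untouched=good; else untouched=bad; fi

  # Recipient, case 2: one word of the body was changed after signing.
  sed 's/3pm/9pm/' "$home/msg.asc" > "$home/altered.asc"
  if gpg --homedir "$home" --batch --verify "$home/altered.asc" 2>/dev/null
  then altered=good; else altered=bad; fi

  gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
  rm -rf "$home"
  echo "original=$untouched altered=$altered"
}

demo_open_signing
```

A real signing key would be protected by a passphrase, and the recipient needs the sender's public key obtained through a channel they trust before the check means anything.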

Policy makers might be tempted to enforce a top-down encryption and
authentication scheme which includes back doors for various parties. Such
measures may receive strong backing from certain vendors of proprietary encryption
solutions and web commerce interests, because they stand to benefit from an
exclusive government contract. Such a proprietary lock-out
would lead to a disastrous outcome in wartime, because back doors will
certainly be found and exploited by our enemies, leading to unnecessary loss of
life. Moreover, a uniform encryption scheme leaves the US with far greater
vulnerability when the scheme is inevitably broken by our enemies.
Monolithic authentication schemes are clearly not the answer, whereas
broad-based diversity is a part of America's strength. Americans must be free
to make their own choices about encryption and authentication software, especially
now that we are all coming together for a common purpose.

Strong encryption may appear to present certain problems for law enforcement and national
security agents, but good citizens will immediately turn their encryption keys over
to government agents in order to aid investigation in the event that foul play is
suspected. Meanwhile, our enemies will continue to use strong encryption
regardless of any legislation. If they do not divulge their keys, then the government may pursue a
warrant and demand that the keys be made available. It may be necessary to give
such warrants additional legal force, by adding penalties for those who do not
comply with them.
Moreover, additional funding should be provided so that world
class computers and cryptology can be used to break the encryption devices of our
enemies.
This approach will eventually lead to dramatic improvements in the existing cryptographic
software, especially for the widely available free software encryption programs, which
are benefited by the open source development dynamic. We would suggest that
this compromise is in the best interest of our freedom and national security
during wartime preparations.

Conclusion

All US citizens should immediately start open-signing their email messages as a
voluntary act of patriotic duty. In addition, any information which would
assist our terrorist enemies should be encrypted as a matter of course. Let's
use this powerful software to help us win the war against terrorism.

Follow ups

Wed Sep 19 12:43:35 EDT 2001: Email authentication as described here
would have prevented much of the damage caused by the Nimda worm. Email worms can be
thwarted by an authentication system, because your email must be signed
with your passphrase before it is sent. If someone receives email from
you that is improperly signed, then they automatically know that
something went wrong. PGP could have prevented Nimda worm attacks via email.